4 Replies Latest reply on Dec 17, 2007 11:41 AM by gspillman

    Problems with SynchronizingLoginModule

    gspillman

      I am encountering two problems when utilizing the SynchronizingLoginModule.

      1. Role assignments are still syncing even when "synchronizeRoles" is set to false

      2. Dashboard displays the following error. It is fixed by removing the "SynchronizingLoginModule" from login-config.xml

      HTTP Status 403 -
      --------------------------------------------------------------------------------
      type Status report
      message
      description Access to the specified resource () has been forbidden.
      --------------------------------------------------------------------------------
      JBossWeb/2.0.0.GA

      Both problems were discovered using JaasLounge (http://jaaslounge.sourceforge.net/) NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule.

      The Dashboard problem was originally discussed in the following thread, but seems to be a different problem since it can be duplicated using JBoss code only.
      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119733

      Configuration:
      Windows XP Professional Service Pack 2
      JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle

      ${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml:
      <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
       <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
      
      <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
       <module-option name="synchronizeIdentity">true</module-option>
       <module-option name="synchronizeRoles">false</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="defaultAssignedRole">User</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
       <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
      </login-module>
      

      ${jboss.server.home.dir}\conf\defaultRoles.properties:
      testuser=test
      testuser2=test2
      

      ${jboss.server.home.dir}\conf\defaultUsers.properties:
      testuser=testrole1,testrole2
      testuser2=testrole3,testrole4
      


      Procedure:
      1. Apply above configuration, run JBoss, and navigate to portal using browser.
      2. Login using testuser/test.
      3. Logout
      4. Login using admin/admin
      5. Click on the "Admin" link
      6. Click on the "Members" tab
      7. Click on "User Management" sub tab
      8. Click on "Search Users" link
      9. Find the "testuser" that should have been auto created in step #2
      10. Click on "Role Management" sub tab
      11. Click on "Create New Role" link
      12. Enter "portalrole" for both "Role" and "Display Name" edit boxes
      13. Click "Submit" button
      14. Click on "User Management" sub tab
      15. Click on "Search Users" link
      16. Click on the "Roles" link to the right of "testuser"
      17. Click the "portalrole" checkbox.
      18. Click the "Submit" button.
      19. Logout
      20. Login using testuser/test
      21. Navigate around the portal at your leisure (Sometimes this step can be skipped)
      22. Logout
      23. Login using admin/admin
      24. Click on the "Admin" link
      25. Click on the "Members" tab
      26. Click on "User Management" sub tab
      27. Click on "Search Users" link
      28. Click on the "Roles" link to the right of "testuser"

      The "portalrole" is now not checked. If the synchronizeRoles is set to false, how can this be?

      29. Logout
      30. Login using testuser/test
      31. Click the "Dashboard" link.

      The HTTP Status 403 error described above will be displayed.

      Any help would be appreciated. This problem is holding us up from deploying to a production environment.

        • 1. Re: Problems with SynchronizingLoginModule
          gspillman

          There have been no responses to this message, and the time I have to complete the project is getting short.

          Our goal was to synchronize only the identities, leaving JBoss Portal to manage its own set of roles. I thought using SynchronizingLoginModule with synchronizeRoles set to false would allow us to do this.

          However, the only difference the synchronizeRoles flag makes is in creating new roles. It still changes the state of existing roles based on what roles it finds in the previous login module, regardless of what the synchronizeRoles flag is set to. Since the JBPortal roles we set up are not in the NT Domain, it always turns our roles off when the user signs on. I have seen this behavior with both the NTLMLoginModule from JaasLounge, and the UsersRolesLoginModule included in JBPortal.

          Can no one duplicate this problem?
          Is something in the problem or the procedure unclear?
          Is there an alternative that achieves the above goal?
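
The behaviour reported in the post above, as an added Java model that is not part of the original thread and is not JBoss Portal's code. It contrasts the reported handling of synchronizeRoles=false with the handling the poster expected, and computes which portal-managed roles a login would revoke. The class, method names and role sets are constructed for illustration.

```java
import java.util.Set;
import java.util.TreeSet;

// Toy model of the role sync described in the thread; not JBoss Portal code.
public class RoleSyncModel {

    // Behaviour as reported: synchronizeRoles only gates creation of new
    // portal roles; the user's memberships are always rebuilt from the roles
    // supplied by the previous login module, so "current" is never consulted.
    static Set<String> reportedSync(Set<String> portalRoles, Set<String> current,
                                    Set<String> external, boolean synchronizeRoles) {
        if (synchronizeRoles) {
            portalRoles.addAll(external);
        }
        Set<String> memberships = new TreeSet<>(external);
        memberships.retainAll(portalRoles); // only roles that exist in the portal
        return memberships;
    }

    // Behaviour the poster expected: with the flag off, memberships managed in
    // the portal are left alone. The flag-on branch is an assumption.
    static Set<String> expectedSync(Set<String> portalRoles, Set<String> current,
                                    Set<String> external, boolean synchronizeRoles) {
        if (!synchronizeRoles) {
            return new TreeSet<>(current);
        }
        portalRoles.addAll(external);
        return new TreeSet<>(external);
    }

    // Roles a login silently took away: the regression check for this bug.
    static Set<String> revoked(Set<String> before, Set<String> after) {
        Set<String> lost = new TreeSet<>(before);
        lost.removeAll(after);
        return lost;
    }

    public static void main(String[] args) {
        // Constructed state after step 18 of the procedure.
        Set<String> portalRoles = new TreeSet<>(Set.of("Admin", "User", "portalrole"));
        Set<String> current = new TreeSet<>(Set.of("portalrole"));
        Set<String> external = Set.of("testrole1", "testrole2");

        Set<String> reported = reportedSync(portalRoles, current, external, false);
        Set<String> expected = expectedSync(portalRoles, current, external, false);
        System.out.println("reported: revoked " + revoked(current, reported));
        System.out.println("expected: revoked " + revoked(current, expected));
    }
}
```

A non-empty revoked set with the flag off is the condition to test for after upgrading: role assignments made in the portal should survive a login through the external module.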

          • 2. Re: Problems with SynchronizingLoginModule
            bdaw

            Hi,

            Could you fill in a jira bug report for this and assign to me? I'll look at it for 2.6.3

            • 3. Re: Problems with SynchronizingLoginModule
              gspillman

              Have created the following JIRA bug reports:

              SynchronizingLoginModule synchronizeRoles still syncs existing roles when set to false
              http://jira.jboss.com/jira/browse/JBPORTAL-1778

              SynchronizingLoginModule prevents access to Dashboard
              http://jira.jboss.com/jira/browse/JBPORTAL-1779

              I was unable to find any way to assign these directly to you. Hopefully you can handle that on your end.

              Thanks for offering to help.

              • 4. Re: Problems with SynchronizingLoginModule
                gspillman

                I have confirmed that both bugs have been fixed in 2.6.3.

                Thank you Boleslaw for your efforts.

                Guy